[Samba] Samba 3.0.28a PDC and Vista Clients
I'm trying to get my samba PDC to work with Vista clients. I'm thinking it's because of NTLMv2. I would rather not disable that on the clients if possible. I tried:

    client ntlmv2 auth = yes

in the config file but that didn't work. I can login to the domain but it doesn't see my profile. But I know it works because after I'm logged in I navigate to my profile path and I can write/delete to that directory. Any ideas? Do I need more in my smb.conf?

Thanks for your help.

Jason Waters

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3.0.28a PDC and Vista Clients
maybe it's because samba stores the profile for vista into another directory, I think it defaults to profilepath/user.v2

There are directives in smb.conf to select the correct path.

regards

On Tuesday, 4 November 2008 15:17:09, Jason Waters wrote:
> I'm trying to get my samba PDC to work with Vista clients. I'm thinking it's because of NTLMv2. I would rather not disable that on the clients if possible. I tried:
>
>     client ntlmv2 auth = yes
>
> in the config file but that didn't work. I can login to the domain but it doesn't see my profile. But I know it works because after I'm logged in I navigate to my profile path and I can write/delete to that directory. Any ideas? Do I need more in my smb.conf?
>
> Thanks for your help.
>
> Jason Waters
WG: [Samba] Samba 3.0.28a PDC and Vista Clients
Did you have profile files written? With Xp it is profiles.V2.

I made my profile-path reside in the home directories of the users and it worked on the fly.

Ex:

    [homes]
        path=/windows/winuser/%U

    [profiles]
        path=/windows/winuser/%U/profile

Greetings
Daniel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Waters
Sent: Tuesday, 4 November 2008 15:17
To: samba@lists.samba.org
Subject: [Samba] Samba 3.0.28a PDC and Vista Clients

I'm trying to get my samba PDC to work with Vista clients. I'm thinking it's because of NTLMv2. I would rather not disable that on the clients if possible. I tried:

    client ntlmv2 auth = yes

in the config file but that didn't work. I can login to the domain but it doesn't see my profile. But I know it works because after I'm logged in I navigate to my profile path and I can write/delete to that directory. Any ideas? Do I need more in my smb.conf?

Thanks for your help.

Jason Waters
Re: [Samba] Trusted to work PDC howto
samba 3 by example.pdf?

Adam McCarthy wrote:
> I have already set up a Samba PDC out of version 3.0.x but it's basically rigged together because I had to use like 3 howtos together to finally figure out what they were actually doing.
>
> I have tried much Google searching to find a way better guide, but no luck.
>
> Is there a tried and tested guide that is referred to all who ask the question?
Re: [Samba] 3.2.4 ACL inheritance trouble
On 2008-11-04 14:59, Jeremy Allison wrote:
> On Tue, Nov 04, 2008 at 02:16:24PM +0100, Peter Rindfuss wrote:
>> Hi,
>>
>> Since 3.2.4 (maybe earlier, but I doubt it), one important feature does not work anymore for me: I cannot break ACL inheritance anymore in the Windows ACL editor.
>>
>> With previous Samba versions, I entered the Advanced dialog of the Windows ACL editor and unchecked the flag "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." Afterwards, I could remove or change ACLs as needed.
>>
>> If I do this now, ACLs that exist on the next higher directory level re-appear after having deleted them.
>>
>> Are there changed configuration options or am I missing something else here? Breaking inheritance is very important in our system as we often need to restrict access to subdirectories. At the moment, I can only try to modify ACLs on the Linux level in order to get the desired behavior.
>
> Can you help me determine when this behavior changed? 3.2.3 has a small change here that might affect this, but I'd be very interested to know if this was in 3.2.0, 3.2.1 or 3.2.3 (when it was introduced).
>
> I'm travelling at the moment with no access to Windows VM's to test this with, so if you need me to reproduce it'll have to wait until next monday (US Pacific time).

Sorry, not possible. 3.2.x was introduced here when upgrading from Suse 10.0 to OpenSuse 11.0. OpenSuse 11 comes with 3.2.0, I think, but when we went to production use, we already had installed 3.2.4. That was 2 weeks ago.

The "(maybe earlier, but I doubt it)" in my original post makes no sense as we did not test it with any earlier version than 3.2.4.

I found some possibly discussion at http://webui.sourcelabs.com/samba/issues/5052

Best,
Peter Rindfuss
Re: [Samba] Samba utilization monitoring
I use BB with a user-contributed script to check out Samba servers. You can find that probably on DeadCat.

Kristian Davies wrote:
> What tools do people use to monitor their samba server?
>
> I realise the use of top, ntop (I recently heard of iftop) and smbstatus but I was thinking more along the lines of historical data and possibly web based nagios/cacti style.
>
> Any suggestions?
>
> Cheers,
> Kristian

--
Ryan Novosielski - Systems Programmer II
[EMAIL PROTECTED] - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/AST - NJMS Medical Science Bldg - C630
[Samba] Confusing behavior of hosts allow/hosts deny in Samba 3.0.28/3.2.4
I saw some unexpected behavior in the interaction of hosts allow and hosts deny on Samba 3.0.28. I built Samba 3.2.4 just to be sure it wasn't something that had been fixed. I saw the same behavior.

I'm not sure if it is a bug or a failure on my part to understand the documentation or misleading documentation.

If I have a share defined as

    [export]
        comment = exported storage
        path= /export
    #   admin users = boehm
        hosts allow = boehm-1
        hosts deny = boehm-3
        oplocks = no
        level2 oplocks = no
        guest ok= no
        create mask = 0775
        directory mask = 0775
        map archive = no
        writeable = yes

Then host boehm-1 has access and boehm-3 is denied access. The odd part is that every other host now has access as well (e.g., boehm-2).

Now, if I had only hosts allow and no hosts deny, only host boehm-1 would have access.

        hosts allow= boehm-1
    #   hosts deny = boehm-3

The confusing part, to me, was that adding hosts deny for a single host suddenly opened up the share to every host that wasn't in hosts deny, regardless as to whether they were in hosts allow.

The man page for smb.conf has an example for both hosts allow and hosts deny:

    Example 4: allow only hosts in NIS netgroup foonet, but deny access from one particular host

        hosts allow = @foonet
        hosts deny = pirate

    Note
    Note that access still requires suitable user-level passwords.

    See testparm(1) for a way of testing your host access to see if it does what you expect.

This doesn't mention that every host but pirate will have access, not just those in @foonet.

I see this as a bug but I wonder if I am missing something.

--
Eric M. Boehm                  /\  ASCII Ribbon Campaign
[EMAIL PROTECTED]              \ /  No HTML or RTF in mail
                                X   No proprietary word-processing
Respect Open Standards         / \  files in mail
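The evaluation order described in the post above, as an added example (not Samba's code and not part of the original message): a small Python linter that models it for literal host names and flags shares where `hosts allow` sits beside a `hosts deny` that is not a catch-all. The `export-fixed` and `export-allow-only` shares, the function names, and the use of `hosts deny = ALL` as the remedy are assumptions added for illustration.

```python
"""Flag smb.conf shares where 'hosts deny' silently widens 'hosts allow'.

Simplified model of the behaviour reported in the post: only literal host
names and the ALL / 0.0.0.0/0 catch-alls are matched. IP ranges, netgroups,
EXCEPT and the loopback special case are deliberately left out.
"""
import re

# Constructed sample. [export] mirrors the share from the post; the other
# two shares are hypothetical variants added for comparison.
SAMPLE_CONF = """
[global]
    workgroup = WORKGROUP

[export]
    path = /export
    hosts allow = boehm-1
    hosts deny = boehm-3
    guest ok = no

[export-fixed]
    path = /export
    hosts allow = boehm-1
    hosts deny = ALL

[export-allow-only]
    path = /export
    hosts allow = boehm-1
"""

SYNONYMS = {"allow hosts": "hosts allow", "deny hosts": "hosts deny"}
CATCH_ALL = {"all", "0.0.0.0/0"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}}, skipping '#' and ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # case/whitespace-insensitive
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections


def host_list(params, key):
    return [h for h in re.split(r"[,\s]+", params.get(key, "")) if h]


def matches(host, entries):
    return any(e.lower() in CATCH_ALL or e.lower() == host.lower()
               for e in entries)


def host_allowed(host, allow, deny):
    """Allow list wins over deny list; a host in neither list is allowed."""
    if not allow and not deny:
        return True
    if not deny:
        return matches(host, allow)      # allow-only: everything else denied
    if not allow:
        return not matches(host, deny)   # deny-only: everything else allowed
    if matches(host, allow):
        return True
    if matches(host, deny):
        return False
    return True                          # in neither list: the surprise case


def share_lists(text):
    """Yield (share, allow, deny) with [global] values as defaults."""
    sections = parse_smb_conf(text)
    defaults = sections.get("global", {})
    for name, params in sections.items():
        if name.lower() == "global":
            continue
        merged = {**defaults, **params}
        yield name, host_list(merged, "hosts allow"), host_list(merged, "hosts deny")


def audit(text):
    """Shares whose allow list is not exclusive because deny has no catch-all."""
    return [name for name, allow, deny in share_lists(text)
            if allow and deny and not any(d.lower() in CATCH_ALL for d in deny)]


def access_table(text, hosts):
    return {name: {h: host_allowed(h, allow, deny) for h in hosts}
            for name, allow, deny in share_lists(text)}


if __name__ == "__main__":
    print("non-exclusive allow lists:", audit(SAMPLE_CONF))
    for share, row in access_table(SAMPLE_CONF, ["boehm-1", "boehm-2", "boehm-3"]).items():
        print(share, row)
```
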
RE: [Samba] Samba 3.0.28a PDC and Vista Clients
I use LDAP and it has \\fileserver\profile$ as the profile path. In samba the profile share has /opt/domain/homes/%U/profile. After I'm logged in I can write to \\fileserver\profile$ so it isn't a permission thing. Any other idea?

Jason Waters

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of odi
Sent: Tuesday, November 04, 2008 9:57 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Samba 3.0.28a PDC and Vista Clients

maybe it's because samba stores the profile for vista into another directory, I think it's defaults to profilepath/user.v2

There are directives in smb.conf to select the correct path.

regards

On Tuesday, 4 November 2008 15:17:09, Jason Waters wrote:
> I'm trying to get my samba PDC to work with Vista clients. I'm thinking it's because of NTLMv2. I would rather not disable that on the clients if possible. I tried:
>
>     client ntlmv2 auth = yes
>
> in the config file but that didn't work. I can login to the domain but it doesn't see my profile. But I know it works because after I'm logged in I navigate to my profile path and I can write/delete to that directory. Any ideas? Do I need more in my smb.conf?
>
> Thanks for your help.
>
> Jason Waters
Re: [Samba] Samba utilization monitoring
On Tue, 2008-11-04 at 10:46 +, Kristian Davies wrote:
> What tools do people use to monitor their samba server?
>
> I realise the use of top, ntop (I recently heard of iftop) and smbstatus but I was thinking more along the lines of historical data and possibly web based nagios/cacti style.
>
> Any suggestions?

OpenNMS
http://www.opennms.org
[Samba] Samba utilization monitoring
What tools do people use to monitor their samba server?

I realise the use of top, ntop (I recently heard of iftop) and smbstatus but I was thinking more along the lines of historical data and possibly web based nagios/cacti style.

Any suggestions?

Cheers,
Kristian
Re: [Samba] 3.2.4 ACL inheritance trouble
On Tue, Nov 04, 2008 at 02:16:24PM +0100, Peter Rindfuss wrote:
> Hi,
>
> Since 3.2.4 (maybe earlier, but I doubt it), one important feature does not work anymore for me: I cannot break ACL inheritance anymore in the Windows ACL editor.
>
> With previous Samba versions, I entered the Advanced dialog of the Windows ACL editor and unchecked the flag "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." Afterwards, I could remove or change ACLs as needed.
>
> If I do this now, ACLs that exist on the next higher directory level re-appear after having deleted them.
>
> Are there changed configuration options or am I missing something else here? Breaking inheritance is very important in our system as we often need to restrict access to subdirectories. At the moment, I can only try to modify ACLs on the Linux level in order to get the desired behavior.

Can you help me determine when this behavior changed? 3.2.3 has a small change here that might affect this, but I'd be very interested to know if this was in 3.2.0, 3.2.1 or 3.2.3 (when it was introduced).

I'm travelling at the moment with no access to Windows VM's to test this with, so if you need me to reproduce it'll have to wait until next monday (US Pacific time).

Jeremy.
Re: WG: [Samba] Samba 3.0.28a PDC and Vista Clients
Ok I think I figured out what was going on. Vista takes whatever is set for your profile and looks for a .v2 after it. So since I had my profile set in LDAP as \\fileserver\profile$, it was looking for \\fileserver\profile$.v2. So I created a new share in my smb.conf and edited the other profile$ share.

So in LDAP for each user I have \\fileserver\profile$ for the profile path, and this is my smb.conf:

    [profile$.v2]
        comment = User profiles Vista
        path = /opt/domain/homes/%U/profile/vista
        read only = no

    [profile$]
        comment = User profiles XP/2000
        path = /opt/domain/homes/%U/profile/xp
        read only = no

Thanks for your help, I hope this helps someone!

Jason Waters
Re: [Samba] Samba utilization monitoring
> I use BB with a user-contributed script to check out Samba servers. You can find that probably on DeadCat.

> BMC Patrol

Both look quite comprehensive but I should have added that I was looking for something that was more open source/free.

-Kristian
Re: [Samba] Problems mixing public / private shares on windows
Michal Sawicz wrote:
> Hi guys,
>
> I'm trying to have some shares available for everyone and some other only available to authenticated users, here's an excerpt from my config file:
>
>     [global]
>         workgroup = WORKGROUP
>         server string = Server
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         guest account = nobody
>         map to guest = bad user
>         security = user
>         encrypt passwords = yes
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         local master = no
>         domain master = no
>         preferred master = no
>         dns proxy = no
>         dos charset = 852
>         unix charset = UTF-8
>
>     [mnt]
>         path = /mnt/%U
>         public = no
>         write list = %U
>         valid users = @group
>
> It's all fine when I use smbclient or nautilus through gvfs - when I try to access anonymous shares, it opens without a password prompt, when I try to access the 'mnt' share it asks for a username / password and opens the correct /mnt/username dir.
>
> On windows, however, I can't access the authenticated share - windows says that 'You might not have access to the share' and that 'You can't use different users to access different shares' - maybe that's a problem?
>
> What am I doing wrong? Or is it impossible to do like that?

dear all

I prefer the following command on the windows client to reconnect with different credentials.

    net use * /delete

thanks
[Samba] Getting a list of users mapped to IP addresses they are logged in from
Hi There,

We have a samba setup as a domain controller using a LDAP backend. We also have a BDC setup on a cross-atlantic subnet with LDAP replication and so forth.

We also have a company Wiki which at the moment uses the same LDAP database to authenticate users. I am looking for a way to remove the need to manually login to the Wiki. After all, the person has already logged into their machine. Instead, I am trying to find some way of asking Samba "who is logged in from IP 1.2.3.4?" and using this to determine if they are authenticated to use the Wiki.

I have looked at net status sessions and this sort of works. However, it has two problems:

1. Each user has their home share automatically mapped by Samba. But, for speed, each home share is mapped to the machine that serviced the login request - meaning some shares are listed on the PDC and some on the BDC, meaning I would have to query each machine or use a dummy share that was on the PDC only. Could probably work around this, but...

2. For some reason, the machines don't like being left idle. After some period of time, the listings in net status sessions disappear for a given machine. The only way to get them back is to open My Computer on the machine - which seems to reconnect the sessions. I guess this is Windows doing some sort of timeout.

Does anyone know of a better way? Or is there some magic reg key I can add to the machines to stop them dropping the sessions off?

Many thanks
[Samba] wbinfo -g return incomplete list
Hello,

I've a trouble with my Samba (3.0.10-1.4E.11) on a RHEL4. This Samba was joined in a Windows AD Domain without problem. Below, an extract of the smb.conf (without the share):

    [global]
        workgroup = ONE
        realm = MYDOM.COM
        netbios aliases = srv0001
        server string = SRV0001 / Intranet Applications Server
        security = DOMAIN
        password server = PWDSRV01, PWDSRV02, PWDSRV03, *
        algorithmic rid base = 10
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 4
        log file = /var/log/samba/%m.log
        max log size = 1000
        debug pid = Yes
        debug uid = Yes
        max xmit = 65535
        socket options = IPTOS_THROUGHPUT TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        add user script = /usr/sbin/useradd %u -g smbusers
        delete user script = /usr/sbin/userdel %u
        os level = 33
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        wins server = xx.xx.xx.xx yy.yy.yy.yy
        ldap ssl = no
        idmap uid = 10-9
        idmap gid = 10-9
        template shell = /bin/bash
        winbind separator = /
        winbind enable local accounts = Yes
        winbind use default domain = Yes
        winbind nested groups = Yes
        create mask = 0775
        nt acl support = No
        printing = lprng
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j
        lppause command = lpc hold '%p' %j
        lpresume command = lpc release '%p' %j
        queuepause command = lpc stop '%p'
        queueresume command = lpc start '%p'

This domain, ONE.MYDOM.COM, has bidirectional relationships with other domains ... TWO.MYDOM.COM THREE.MYDOM.COM ...etc, ...

When I ask a list of domains with wbinfo -m, the result is:

    [EMAIL PROTECTED] samba]# wbinfo -m
    SRV0001
    BUILTIN
    TWO
    THREE
    FOUR
    FIVE
    .
    .
    .
    [EMAIL PROTECTED] samba]#

I see all the trusted domains, well, but I don't see the ONE domain!

A wbinfo -g command returns me only trusted domains groups ... never groups of the primary ONE domain.

It seems that everything is working fine ... (see below)

    [EMAIL PROTECTED] samba]# wbinfo -n ONE/user01
    S-1-5-21-6776287-1952083785-2110791508-497344 User (1)
    [EMAIL PROTECTED] samba]# wbinfo -S S-1-5-21-6776287-1952083785-2110791508-497344
    100020
    [EMAIL PROTECTED] samba]# wbinfo -t
    checking the trust secret via RPC calls succeeded
    [EMAIL PROTECTED] samba]# wbinfo -a ONE/user01%good_password
    plaintext password authentication succeeded
    challenge/response password authentication succeeded
    [EMAIL PROTECTED] samba]# wbinfo -a ONE/user01%bad_password
    challenge/response password authentication failed
    error code was NT_STATUS_WRONG_PASSWORD (0xc06a)
    error messsage was: Wrong Password
    Could not authenticate user ONE/user01 with challenge/response
    [EMAIL PROTECTED] samba]#

Except accessing groups and users of the primary domain ONE ... and I need to access these groups to include them in ACLs.

When I try a wbinfo -g, I see the following message in winbindd.log:

    [2008/11/04 11:30:25, 3, pid=22415, effective(0, 0), real(0, 0)] nsswitch/winbindd_group.c:get_sam_group_entries(536)
      get_sam_group_entries: could not enumerate domain groups! Error: NT_STATUS_ACCESS_DENIED

Is it related?

Any help would be appreciated.

Thanks a lot in advance and regards.

Christian PIGNOL
04 73 67 48 65
[Samba] 3.2.4 ACL inheritance trouble
Hi,

Since 3.2.4 (maybe earlier, but I doubt it), one important feature does not work anymore for me: I cannot break ACL inheritance anymore in the Windows ACL editor.

With previous Samba versions, I entered the Advanced dialog of the Windows ACL editor and unchecked the flag "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." Afterwards, I could remove or change ACLs as needed.

If I do this now, ACLs that exist on the next higher directory level re-appear after having deleted them.

Are there changed configuration options or am I missing something else here? Breaking inheritance is very important in our system as we often need to restrict access to subdirectories. At the moment, I can only try to modify ACLs on the Linux level in order to get the desired behavior.

Thanks in advance for help

Peter Rindfuss
[Samba] Workstation joins domain but user cannot log in SMB-LDAP
Hi List,

I've done a little bit of SaMBa in the past, but new to LDAP, so bear with me please. (It is a lengthy post...)

I've (loosely) followed this guide here: http://www.rrcomputerconsulting.com/view.php?article_id=3

My server is a Ubuntu 8.04 LTS (up-to-date) running:

    OpenLDAP: slapd 2.4.9 (Aug 1 2008 01:08:50) [EMAIL PROTECTED]:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
    Samba Version 3.0.28a
    Kernel : 2.6.24-21-server #1 SMP Wed Oct 22 00:18:13 UTC 2008 i686 GNU/Linux

I got to the point where things should fall together but they don't...

What is working:

On the server: Anonymous checking what is available works:

    smbclient -L localhost
    Password: EMPTY
    Anonymous login successful
    Domain=[SRECENGINEERING] OS=[Unix] Server=[Samba 3.0.28a]
    ... snip

I was also able to successfully join a laptop to the domain. The system even shows up in LDAP:

    ldapsearch -x -b dc=srecengineering,dc=int | grep lpt
    # lpt-5$, Computers, SRECENGINEERING.INT
    dn: uid=lpt-5$,ou=Computers,dc=SRECENGINEERING,dc=INT
    cn: lpt-5$
    uid: lpt-5$

Then trouble started. I created a user using /usr/sbin/smbldap-useradd. A ldapsearch returns the user. BUT I cannot log in using that user on a Win XP SP3: "The system could not log you on..."

Googling things points to troubles between ldap / samba and groupmap:

    net groupmap list
    Domain Admins (S-1-5-21-415917906-1882792140-1713642741-512) - Domain Admins
    Domain Users (S-1-5-21-415917906-1882792140-1713642741-513) - Domain Users
    Domain Guests (S-1-5-21-415917906-1882792140-1713642741-514) - Domain Guests
    Domain Computers (S-1-5-21-415917906-1882792140-1713642741-515) - Domain Computers
    Administrators (S-1-5-32-544) - Administrators
    Account Operators (S-1-5-32-548) - Account Operators
    Print Operators (S-1-5-32-550) - Print Operators
    Backup Operators (S-1-5-32-551) - Backup Operators
    Replicators (S-1-5-32-552) - Replicators

In /var/log/samba/log.LPT-5 I see:

    [2008/11/04 14:19:04, 0] auth/auth_util.c:create_builtin_users(758)
      create_builtin_users: Failed to create Users

But it is NOT all bad because using 'root' to log in on the WinXP laptop 'works'. (There are still some err messages in the samba logs, but I see a Z: drive on the laptop pointing to the SaMBa server)

What else? I also see a lot of these:

    Nov 4 11:53:13 SRV-2 slapd[9261]: = bdb_equality_candidates: () not indexed

( are diff 'fields like gidNumber, sambaSID etc)

My smb.conf:

    [global]
        workgroup = SRECENGINEERING
        server string = fileserver (%h)
        dns proxy = no
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        security = user
        encrypt passwords = true
        passdb backend = ldapsam:ldap://localhost/
        obey pam restrictions = no
        ldap admin dn = cn=admin,dc=srecengineering,dc=int
        ldap suffix = dc=srecengineering, dc=int
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        ldap passwd sync = Yes
        passwd program = /usr/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
        add user script = /usr/sbin/smbldap-useradd -m %u
        ldap delete dn = Yes
        delete user script = /usr/sbin/smbldap-userdel %u
        add machine script = /usr/sbin/smbldap-useradd -w %u
        add group script = /usr/sbin/smbldap-groupadd -p %g
        delete group script = /usr/sbin/smbldap-groupdel %g
        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
        domain logons = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        logon path =
        logon script = allusers.bat
        socket options = TCP_NODELAY

    [homes]
        comment = Home directories
        path = /data/home
        browseable = yes
        read only = no
        create mask = 0700
        directory mask = 0700
        valid users = %S
        hide dot files = yes

    [netlogon]
        comment = Network Logon Service
        path = /home/samba/netlogon
        guest ok = yes
        read only = yes
        share modes = no

    [printers]
        comment = All Printers
        browseable = no
        path = /var/spool/samba
        printable = yes
        guest ok = no
        read only = yes
        create mask = 0700

    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
        browseable = yes
        read only = yes
        guest ok = no

I confirmed that the smbldap scripts are in /usr/sbin

my slapd.conf in /etc/ldap/

    include /etc/ldap/schema/core.schema
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/nis.schema
    include /etc/ldap/schema/inetorgperson.schema
    include /etc/ldap/schema/samba.schema
    include /etc/ldap/schema/misc.schema
    pidfile /var/run/slapd/slapd.pid
    argsfile /var/run/slapd/slapd.args
    logfile /var/log/slapd.log
    loglevel 256
    modulepath
Re: [Samba] 3.2.4 ACL inheritance trouble
On Tue, Nov 04, 2008 at 04:23:03PM +0100, Peter Rindfuss wrote:
> Sorry, not possible. 3.2.x was introduced here when upgrading from Suse 10.0 to OpenSuse 11.0. OpenSuse 11 comes with 3.2.0, I think, but when we went to production use, we already had installed 3.2.4. That was 2 weeks ago.
>
> The "(maybe earlier, but I doubt it)" in my original post makes no sense as we did not test it with any earlier version than 3.2.4.
>
> I found some possibly discussion at http://webui.sourcelabs.com/samba/issues/5052

Ok, thanks. Can you log a bug for me at bugzilla.samba.org so I can track this when I get back to the USA.

Cheers,
Jeremy.
[Samba] Not able to remove inherited ACL's on folders and files
Hi All,

I am using samba 3.2.4 on CentOS 5.2, configured as a domain member of windows 2000 active directory.

My problem is I am not able to remove any inherited ACL's on the folders and files from a windows XP client. I unchecked "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" and selected the "Copy" option in the next dialog box and then I hit apply. It is successful so far and I get "not inherited" in the "inherited from" column.

Now when I try to remove an inherited ACL entry, it comes back again after I hit apply.

Any help or ideas really appreciated.

Thank you very much,
Chandra
[Samba] Problems joining a domain with a large number of DCs
I'm having issues joining samba to a domain with a large number of domain controllers. The domain is a mixed windows 2003/windows 2008 domain. The samba server is Solaris 10 update 5 running on SPARC. I have a custom samba build of samba 3.0.28 on the server because we need Tobi Oetiker's samfs patch. Because of the issue that version has with passwords longer than eight characters on Solaris, I've also built samba 3.0.24 for using net to join the domain.

Using net from 3.0.24, I'm able to join the domain in the customary net ads join -U [EMAIL PROTECTED] way. A windows admin confirms that the account is created in active directory, and that it's enabled. When I net ads testjoin, however, it fails with the following error:

    [2008/11/04 15:39:50, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
      ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
    [2008/11/04 15:39:50, 0] libads/kerberos.c:ads_kinit_password(228)
      kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed
    Join to domain is not valid: Logon failure

Some googling around suggested that this might be caused by inconsistencies in the information in the DCs on a large domain, so I followed the suggestion to remove the machine account completely, create it by hand, manually synch the DCs, and then try. Various invocations of net ads join caused account disablement and the same error as above.

Digging further into the kerberos error, I can kinit a user on the domain without difficulty, and when I subsequently klist, I see some tickets. I can kdestroy and kinit, and tickets reappear.

Could anybody suggest what else I should look at? Is this a kerberos issue, a samba issue with caching the credentials, or something else?

Thanks,
~Eric

here's the stuff net pulls from the config file when it runs:

    [2008/11/04 15:39:29, 3] param/loadparm.c:do_section(3778)
      Processing section [global]
    doing parameter aio read size = 1
    doing parameter aio write size = 1
    doing parameter workgroup = FOO
    doing parameter server string = MSR Server
    doing parameter security = ADS
    doing parameter log file = /var/samba/log/log.%m
    doing parameter max log size = 50
    doing parameter password server = server1 server2 server3
    doing parameter realm = FOO.DOMAIN.COM
    doing parameter passdb backend = smbpasswd
    doing parameter preferred master = no
    doing parameter dns proxy = no
    doing parameter encrypt passwords = yes
    doing parameter winbind separator = +
    doing parameter winbind use default domain = yes
    doing parameter winbind enum users = no
    doing parameter winbind enum groups = no
    doing parameter idmap uid = 1-2
    doing parameter idmap gid = 1-2

I'll post logs if people want to see 'em.
[Samba] Re: [Solution] samba v2 works, v3 does not - Unix groups
Thanks to Redhat support who supplied the answer.

I had two problems -- a winbindd was starting up when I had no need to use it (I think). Turning it off properly (chkconfig) made things consistent (but not working).

The fix was simple as I knew it should (everyone else must have it working) I just couldn't work out what. The smb.conf entries didn't have the server name in front of the group.

From RH support:

    In smb.conf you want to use -

        valid users = @AD_DOMAIN\webadmin, @Netbios Name\staff
        write list = @Netbios Name\staff

I knew that v3 needed the active directory domain when using group access \\AD_DOMAIN\groupname but I wanted the unix groups. I overlooked the other one because we don't have netbios anywhere.

Well, it appears that the Netbios Name is the Unix hostname (not FQDN) by default and I needed @HOSTNAME\staff and all worked. The Netbios Name can be defined in smb.conf (I don't know why unless your hostname is too long or something to make it an invalid netbios name).

Pete

Peter Glassenbury (CSSE) wrote:
> Shifting from a v2 samba server to v3 - Read documentation and googled LOTS but can't seem to find the bits that apply to my simple(?) server with regards to groups.
>
>     # rpm -qi samba
>     Version     : 3.0.28        Vendor: Red Hat, Inc.
>     Release     : 1.el5_2.1
>     Source RPM: samba-3.0.28-1.el5_2.1.src.rpm
>
> Samba on server (Red Hat Enterprise Linux 5.2) IS MOSTLY WORKING... home directories authenticating correctly to Active Directory, then supplying Unix disk to windows clients. Mounting correctly. read write OK
>
> testparm works fine..no errors
>
> THE PROBLEM :
> ===
> Other samba shares (eg www) mount, and are browsable and read and writeable IN PART... they don't take note of the secondary Unix group permissions.
>
> By this I mean user fred in the ldap password entry has default group staff and the file mode permissions for staff do work. User fred is also in group webadmin in the ldap unix group. These do NOT work. If I change fred in ldap to be default group webadmin, the group permissions for webadmin now work. (but staff do not :-( )
>
> The following entry for www shows (in comments) the variations I have attempted. (before the testparm does its stuff). read/write list also been commented out. to try and rely only on Unix group but no improvement.
>
>     [www]
>         comment = WWW directory
>         path = /export/netfs/www
>     ;   valid users = +staff
>     ;   valid users = fred, john, mary
>         public = no
>         writable = yes
>         read list = +staff, +webadmin
>         write list = +staff, +webadmin
>         create mode = 0775
>
> The file.with only other shares removed.
>
>     # more /etc/samba/smb.conf
>     [global]
>         workgroup = UOCNT
>         realm = CANTERBURY.AC.NZ
>         server string = CSSE Samba
>         security = ADS
>         log file = /var/log/samba/%m.log
>         max log size = 300
>         local master = No
>         wins server = eth0:IP_address, eth0:Alternate_IP_Address
>         hosts allow = 127., 132.181., 10.
>
>     [homes]
>         comment = Home Directories
>         read only = No
>         create mask = 0700
>         directory mask = 0750
>
>     [www]
>         comment = WWW directory
>         path = /export/netfs/www
>         read list = +staff, +webadmin
>         write list = +staff, +webadmin
>         read only = No
>         create mask = 0775

--
Peter Glassenbury                Computer Science department
[EMAIL PROTECTED]                University of Canterbury
+64 3 3642987 ext 7762           New Zealand
Re: [Samba] How to set file/folder permission flexibly in Samba
Dear Jeremy,

Thanks very much for your reply.

Using posix acls maybe can set permissions for different users, but the control right still on manager's hand, while on users' hand, that is, user still cannot control the permission by themselves.

And you referred 3.2.x, do you mean that if I want to let user control the files permission by themselves with nt acl support, I need to upgrade samba to 3.2.x? Thanks.

Meanwhile, if I upgrade samba to 3.2.x, I still need to set folders on the same level of /Dept while not under /Dept, because folders under /Dept will inherit the permissions.

Please advise. Thank you very much.

Best Regards
Andy Zhou/ICILSZX

From: Jeremy Allison [mailto:[EMAIL PROTECTED]
To: Andy Zhou/ICILSZX [mailto:[EMAIL PROTECTED]
Cc: samba@lists.samba.org
Sent: Tue, 04 Nov 2008 09:43:16 +0800
Subject: Re: [Samba] How to set file/folder permission flexibly in Samba

On Mon, Nov 03, 2008 at 01:59:29PM +0800, Andy Zhou/ICILSZX wrote:

Hi All,

I am using Samba 3.0.10 on IBM server with RHEL 4 OS. The detailed information as below.

[EMAIL PROTECTED] samba]# uname -a
Linux ufhkglx02 2.6.9-67.ELsmp #1 SMP Wed Nov 7 13:58:04 EST 2007 i686 i686 i386 GNU/Linux
[EMAIL PROTECTED] samba]# cat /etc/redhat-release
Red Hat Enterprise Linux ES release 4 (Nahant Update 6)
[EMAIL PROTECTED] samba]# smbstatus -V
Version 3.0.25b-0.4E.6

Currently, we are planning to migrate NT domain to Samba domain, and the file/folders controlled by NT domain controller on NT server will be migrated to Linux server with Samba domain. But the problem is: how to restore the permission for file/folders. Because in NT domain, there are some files/folders with special permissions, for example:

UserA and UserB just read folderA
UserC and UserD can read/write folderA.

In NT domain, it's easy to do so, we can set such permission by clicking the 'Security' button in folder A's Property. But with Samba, it's so difficult. Because folderA will be migrated to a root directory in Linux server, such as /Dept, that is:

--Dept
  --A
  --..
  --..

And we require all users can read/access folder Dept, but cannot access folder A except User A, B, C and D (with special permission). Maybe it can set group to meet such requirement, but we don't like to do so, because it's not flexible, we have large amounts of file/folders with special permission.

Of course, we can set such settings in smb.conf:

[Folder A]
path = /folderA
valid users = UserA, UserB, UserC, UserD
writeable = yes
read list = UserA, UserB
write list = UserC, UserD
create mask = 770
directory mask = 770

But with such setting, the folderA will be under / directory, while not /Dept, because we have so many folders that need to be shared with special permission, we don't like to set too many folders under / partition, we need to set those folders all under /Dept.

Therefore, my questions are:

1. Is there any way to meet my requirement?
2. Is there any way to let user control the permissions by themselves? Because with Samba domain, user cannot change the permission setting in folder's security button, even though we set nt acl support = Yes in Global setting in smb.conf. Does samba 3.0.25 support nt acl support?

Any pointers will be very appreciated. Thank you.

3.0.25 is a little old. I suggest using 3.0.32 if you need to stay on a 3.0.x environment, change to 3.2.4 if not (only bugfixing is being done on the 3.0.x codebase, no new changes - all new fixes are being done on 3.2.x and 3.3.x).

You should be able to allow users to change permissions using the NT ACL editor using Samba. Using posix acls on your backend filesystem should allow you to meet these needs.

Jeremy.
[Samba] Curious Question about Multiple CIFSD's
I know this isn't the right place to ask this question, but does anybody know if it's possible to force a Linux client machine to spawn multiple cifsd's when connecting to a SINGLE Samba Server?

I seem to be running into some Linux cifs client limits with a single connection. One cifs client can talk to multiple Samba servers at around 100 MB/sec (aggregate) over a single GigE connection. But the client stumbles trying to do more than around 40-45 MB/sec to/from a single Samba Server.

If I connect some shares from Samba Server A via CIFS and other shares via NFS, I can get about double the aggregate throughput that I get if I connect all by CIFS. So, the bandwidth between the two machines has the potential to be much higher than what I get just by CIFS. And of course FTP and RSYNC without encryption shows almost line speed.

I am experimenting with some of the CIFS tunables (cifs_max_pending and CIFSMaxBufSize). For various reasons, I have to mount with directio so wsize and rsize aren't really relevant.

But it seems the easy way out might be to somehow get multiple cifsd processes talking to the same server. Is it possible? What if I give more than one IP Address to the SAMBA Server? Can I connect some shares to one IP address and other shares to the other IP Address? Will that result in more than one cifsd?

Andy Liebman
Re: [Samba] Getting a list of users mapped to IP addresses they are logged in from
Didster wrote:

We also have a company Wiki remove the need to manually login to the Wiki. Does any one know of a better way?

NTLM auth module for apache. Assuming you are using an apache web server.

*Michael Heydon - IT Administrator*
[EMAIL PROTECTED]
[Samba] Vista Samba and Property loss
I'm running a Vista Business SP1 client against Samba 3.0.29 and when copying certain files from Vista to Samba (does not happen in all cases), I receive an error dialog stating:

"name of file has properties that cannot be copied to the new location. Are you sure you want to copy this file without its properties?"

I have tried changing various security related smb.conf parameters without success and Google has turned up nothing.

Any assistance gratefully received.

Regards,
Richard
[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-4331-ge206318
The branch, v3-3-test has been updated via e20631897d5bade7827845c18ebf13ba468747fc (commit) from e63f1b2905340af79768a0333c03f56633c6a682 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test - Log - commit e20631897d5bade7827845c18ebf13ba468747fc Author: Volker Lendecke [EMAIL PROTECTED] Date: Mon Nov 3 17:09:40 2008 +0100 Fix bug triggered by the RAW-SAMBA3OPLOCKLOGOFF test --- Summary of changes: source/smbd/process.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source/smbd/process.c b/source/smbd/process.c index 338f606..2587097 100644 --- a/source/smbd/process.c +++ b/source/smbd/process.c @@ -1421,6 +1421,7 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in if (!change_to_user(conn,session_tag)) { reply_nterror(req, NT_STATUS_DOS(ERRSRV, ERRbaduid)); + remove_deferred_open_smb_message(req-mid); return conn; } -- Samba Shared Repository
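Review bot: The new remove_deferred_open_smb_message() call in the change_to_user() failure branch of switch_message() carries no comment, and the commit message names only the torture test that triggers the bug, not the bug itself. A one-line comment above the call saying why a deferred open queued under this mid has to be dropped once the session tag is rejected would keep a later cleanup from removing the call as dead code; the same sentence belongs in the commit message.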
[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-3128-g85d2029
The branch, v3-2-test has been updated via 85d20296175a288b32fbd514a019a6028ab7a983 (commit) via aed67987cac4daa56fe04c9330a8083223a48a1d (commit) from 71ed975a608126769c9669409d46c894da3ca43e (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test - Log - commit 85d20296175a288b32fbd514a019a6028ab7a983 Merge: aed67987cac4daa56fe04c9330a8083223a48a1d 71ed975a608126769c9669409d46c894da3ca43e Author: Jeremy Allison [EMAIL PROTECTED] Date: Tue Nov 4 04:34:30 2008 -0800 Merge branch 'v3-2-test' of ssh://[EMAIL PROTECTED]/data/git/samba into v3-2-test commit aed67987cac4daa56fe04c9330a8083223a48a1d Author: Volker Lendecke [EMAIL PROTECTED] Date: Tue Nov 4 04:33:36 2008 -0800 Ignore 3.0 style invalid group mappings during upgrade to ldb --- Summary of changes: source/groupdb/mapping_ldb.c |7 +++ 1 files changed, 7 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source/groupdb/mapping_ldb.c b/source/groupdb/mapping_ldb.c index 7ce879f..68e5b4c 100644 --- a/source/groupdb/mapping_ldb.c +++ b/source/groupdb/mapping_ldb.c @@ -574,6 +574,13 @@ static int upgrade_map_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key, return -1; } + if ((int)map.gid == -1) { + /* +* Ignore old invalid mappings +*/ + return 0; + } + if (!add_mapping_entry(map, 0)) { DEBUG(0,(Failed to add mapping entry during upgrade\n)); *(int *)state = -1; -- Samba Shared Repository
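Review bot: In upgrade_map_record(), the new test casts map.gid to int before comparing it with -1, so the result depends on how that cast narrows the field. Comparing map.gid against -1 cast to the field's own type states the intent directly and drops the cast of the value under test. The comment "Ignore old invalid mappings" could also say that -1 is the marker for such a mapping, which is the one fact a reader of this branch needs.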
[SCM] Samba Shared Repository - branch master updated - bfc59f63f3c13b1499e658c30b2185c7067c5fca
The branch, master has been updated via bfc59f63f3c13b1499e658c30b2185c7067c5fca (commit) from 0953688012dcacca5b28a19c7a2d8393428ca151 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bfc59f63f3c13b1499e658c30b2185c7067c5fca Author: Jeremy Allison [EMAIL PROTECTED] Date: Tue Nov 4 01:34:08 2008 -0800 Pass all of RAW-ACLS except for inheritence. Working on that next. Jeremy. --- Summary of changes: source3/include/proto.h |4 ++ source3/modules/vfs_acl_xattr.c |2 +- source3/smbd/open.c | 81 ++- source4/torture/raw/acls.c |2 +- 4 files changed, 85 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/proto.h b/source3/include/proto.h index 254c33d..0d4404b 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -8040,6 +8040,10 @@ void reply_nttranss(struct smb_request *req); /* The following definitions come from smbd/open.c */ +NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd, + const NT_USER_TOKEN *token, + uint32_t access_desired, + uint32_t *access_granted); NTSTATUS fd_close(files_struct *fsp); bool map_open_params_to_ntcreate(const char *fname, int deny_mode, int open_func, uint32 *paccess_mask, diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c index c3b27f8..5dfe43e 100644 --- a/source3/modules/vfs_acl_xattr.c +++ b/source3/modules/vfs_acl_xattr.c @@ -437,7 +437,7 @@ static int open_acl_xattr(vfs_handle_struct *handle, pdesc); if (NT_STATUS_IS_OK(status)) { /* See if we can access it. */ - status = se_access_check(pdesc, + status = smb1_file_se_access_check(pdesc, handle-conn-server_info-ptok, fsp-access_mask, access_granted); diff --git a/source3/smbd/open.c b/source3/smbd/open.c index b134e8f..480352b 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c 
@@ -30,6 +30,56 @@ struct deferred_open_record { }; / + SMB1 file varient of se_access_check. Never test FILE_READ_ATTRIBUTES. +/ + +NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd, + const NT_USER_TOKEN *token, + uint32_t access_desired, + uint32_t *access_granted) +{ + return se_access_check(sd, + token, + (access_desired ~FILE_READ_ATTRIBUTES), + access_granted); +} + +/ + Check if we have open rights. +/ + +static NTSTATUS check_open_rights(struct connection_struct *conn, + const char *fname, + uint32_t access_mask) +{ + /* Check if we have rights to open. */ + NTSTATUS status; + uint32_t access_granted = 0; + struct security_descriptor *sd; + + status = SMB_VFS_GET_NT_ACL(conn, fname, + (OWNER_SECURITY_INFORMATION | + GROUP_SECURITY_INFORMATION | + DACL_SECURITY_INFORMATION),sd); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, (check_open_rights: Could not get acl + on %s: %s\n, + fname, + nt_errstr(status))); + return status; + } + + status = smb1_file_se_access_check(sd, + conn-server_info-ptok, + access_mask, + access_granted); + + TALLOC_FREE(sd); + return status; +} + +/ fd support routines - attempt to do a dos_open. / @@ -337,6 +387,17 @@ static NTSTATUS open_file(files_struct *fsp, } else { fsp-fh-fd = -1; /* What we used to call a stat open. */ + if (file_existed) { + status = check_open_rights(conn, + path, + access_mask); + if (!NT_STATUS_IS_OK(status)) { +
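Review bot: In smb1_file_se_access_check() (source3/smbd/open.c), the header comment says "Never test FILE_READ_ATTRIBUTES" but gives no reason for removing that bit from access_desired before calling se_access_check(). Because this relaxes the check for every caller, including open_acl_xattr() in vfs_acl_xattr.c which this patch switches over, the comment should state why the bit is exempt for SMB1 file opens, so the exemption is not copied to places where it does not apply. The same comment spells "varient"; it should read "variant".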
[SCM] Samba Shared Repository - branch master updated - 0953688012dcacca5b28a19c7a2d8393428ca151
The branch, master has been updated via 0953688012dcacca5b28a19c7a2d8393428ca151 (commit) from d98e48c7cb5a5f2765afa874f09ec3e6cf4dd7a5 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0953688012dcacca5b28a19c7a2d8393428ca151 Author: Volker Lendecke [EMAIL PROTECTED] Date: Mon Nov 3 15:25:02 2008 +0100 Trigger (and fix) a bug in Samba3 making smbd an infinite data source A deferred open directly followed by a ulogoffX makes smbd3 send an infinite stream of ERRinvuid replies :-( --- Summary of changes: source3/smbd/process.c |1 + source4/torture/raw/raw.c|1 + source4/torture/raw/samba3misc.c | 80 ++ 3 files changed, 82 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/process.c b/source3/smbd/process.c index 215ae20..bd0acbc 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -1424,6 +1424,7 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in if (!change_to_user(conn,session_tag)) { reply_nterror(req, NT_STATUS_DOS(ERRSRV, ERRbaduid)); + remove_deferred_open_smb_message(req-mid); return conn; } diff --git a/source4/torture/raw/raw.c b/source4/torture/raw/raw.c index 0a7fc3e..138f263 100644 --- a/source4/torture/raw/raw.c +++ b/source4/torture/raw/raw.c @@ -71,6 +71,7 @@ NTSTATUS torture_raw_init(void) torture_suite_add_simple_test(suite, SAMBA3ROOTDIRFID, torture_samba3_rootdirfid); torture_suite_add_simple_test(suite, SAMBA3CHECKFSP, torture_samba3_checkfsp); + torture_suite_add_simple_test(suite, SAMBA3OPLOCKLOGOFF, torture_samba3_oplock_logoff); torture_suite_add_simple_test(suite, SAMBA3BADPATH, torture_samba3_badpath); torture_suite_add_simple_test(suite, SAMBA3CASEINSENSITIVE, torture_samba3_caseinsensitive); diff --git a/source4/torture/raw/samba3misc.c b/source4/torture/raw/samba3misc.c index 27b4d42..8cdccb3 100644 --- a/source4/torture/raw/samba3misc.c +++ b/source4/torture/raw/samba3misc.c 
@@ -889,3 +889,83 @@ bool torture_samba3_rootdirfid(struct torture_context *tctx) return ret; } +bool torture_samba3_oplock_logoff(struct torture_context *tctx) +{ + struct smbcli_state *cli; + NTSTATUS status; + uint16_t fnum1; + union smb_open io; + const char *fname = testfile; + bool ret = false; + struct smbcli_request *req; + struct smb_echo echo_req; + + if (!torture_open_connection(cli, tctx, 0)) { + ret = false; + goto done; + } + + smbcli_unlink(cli-tree, fname); + + ZERO_STRUCT(io); + io.generic.level = RAW_OPEN_NTCREATEX; + io.ntcreatex.in.flags = NTCREATEX_FLAGS_EXTENDED; + io.ntcreatex.in.root_fid = 0; + io.ntcreatex.in.security_flags = 0; + io.ntcreatex.in.access_mask = + SEC_STD_SYNCHRONIZE | SEC_FILE_EXECUTE; + io.ntcreatex.in.alloc_size = 0; + io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; + io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_NONE; + io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF; + io.ntcreatex.in.create_options = 0; + io.ntcreatex.in.fname = testfile; + status = smb_raw_open(cli-tree, tctx, io); + if (!NT_STATUS_IS_OK(status)) { + d_printf(first smb_open failed: %s\n, nt_errstr(status)); + ret = false; + goto done; + } + fnum1 = io.ntcreatex.out.file.fnum; + + /* +* Create a conflicting open, causing the one-second delay +*/ + + req = smb_raw_open_send(cli-tree, io); + if (req == NULL) { + d_printf(smb_raw_open_send failed\n); + ret = false; + goto done; + } + + /* +* Pull the VUID from under that request. As of Nov 3, 2008 all Samba3 +* versions (3.0, 3.2 and master) would spin sending ERRinvuid errors +* as long as the client is still connected. 
+*/ + + status = smb_raw_ulogoff(cli-session); + + if (!NT_STATUS_IS_OK(status)) { + d_printf(ulogoff failed: %s\n, nt_errstr(status)); + ret = false; + goto done; + } + + echo_req.in.repeat_count = 1; + echo_req.in.size = 1; + echo_req.in.data = (uint8_t *); + + status = smb_raw_echo(cli-session-transport, echo_req); + if (!NT_STATUS_IS_OK(status)) { + d_printf(smb_raw_echo returned %s\n, +nt_errstr(status)); + ret = false; +
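Review bot: In torture_samba3_oplock_logoff(), cli is declared without an initializer and the torture_open_connection() failure path jumps straight to done; if the cleanup at done touches cli, it should be initialised to NULL at declaration. ret already starts as false, so the "ret = false;" before each "goto done" is redundant and can be dropped to make the single place where the test succeeds easier to find.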
[SCM] Samba Shared Repository - branch master updated - 3fa7a1b085cfba8af72062ae917ada2197de52da
The branch, master has been updated via 3fa7a1b085cfba8af72062ae917ada2197de52da (commit) via 89fac8c1b62fdaaec4015a4a04f270a1ca6c9463 (commit) from 37f4c70920fb23e28a934be3e8b6b9ea1baaa13f (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3fa7a1b085cfba8af72062ae917ada2197de52da Author: Günther Deschner [EMAIL PROTECTED] Date: Tue Nov 4 14:34:23 2008 +0100 s3-libnet_samsync: print new line in display output. Guenther commit 89fac8c1b62fdaaec4015a4a04f270a1ca6c9463 Author: Günther Deschner [EMAIL PROTECTED] Date: Tue Nov 4 19:37:55 2008 +0100 s4-smbtorture: fix some obvious copy-paste errors. Guenther --- Summary of changes: source3/libnet/libnet_samsync_display.c |6 +++--- source4/torture/rpc/samr.c | 14 +++--- 2 files changed, 10 insertions(+), 10 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libnet/libnet_samsync_display.c b/source3/libnet/libnet_samsync_display.c index 47c032a..1dd9a1a 100644 --- a/source3/libnet/libnet_samsync_display.c +++ b/source3/libnet/libnet_samsync_display.c @@ -126,7 +126,7 @@ static void display_group_info(uint32_t rid, struct netr_DELTA_GROUP *r) static void display_delete_group(uint32_t rid) { - d_printf(Delete Group '%d' , rid); + d_printf(Delete Group '%d'\n, rid); } static void display_rename_group(uint32_t rid, struct netr_DELTA_RENAME *r) @@ -138,7 +138,7 @@ static void display_rename_group(uint32_t rid, struct netr_DELTA_RENAME *r) static void display_delete_user(uint32_t rid) { - d_printf(Delete User '%d' , rid); + d_printf(Delete User '%d'\n, rid); } static void display_rename_user(uint32_t rid, struct netr_DELTA_RENAME *r) @@ -150,7 +150,7 @@ static void display_rename_user(uint32_t rid, struct netr_DELTA_RENAME *r) static void display_delete_alias(uint32_t rid) { - d_printf(Delete Alias '%d' , rid); + d_printf(Delete Alias '%d'\n, rid); } static void display_rename_alias(uint32_t rid, struct netr_DELTA_RENAME *r) 
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index 3d4c993..23c288b 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -1389,7 +1389,7 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p, struct torture_co if (!NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) !NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) { - printf(ChangePasswordUser3 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalid password verifier - %s\n, + printf(OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalid password verifier - %s\n, nt_errstr(status)); ret = false; } @@ -1411,7 +1411,7 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p, struct torture_co if (!NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) !NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) { - printf(ChangePasswordUser3 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalidly encrpted password - %s\n, + printf(OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalidly encrpted password - %s\n, nt_errstr(status)); ret = false; } @@ -1428,7 +1428,7 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p, struct torture_co if (!NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) !NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { - printf(ChangePasswordUser3 failed, should have returned INVALID_PARAMETER (or at least 'PASSWORD_RESTRICTON') for no supplied validation hash - %s\n, + printf(OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER (or at least 'PASSWORD_RESTRICTON') for no supplied validation hash - %s\n, nt_errstr(status)); ret = false; } 
@@ -1440,7 +1440,7 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p, struct torture_co status = dcerpc_samr_OemChangePasswordUser2(p, tctx, r); if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { - printf(ChangePasswordUser3 failed, should have returned INVALID_PARAMETER for no supplied validation hash and invalid user - %s\n, + printf(OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER for no supplied validation hash and invalid user - %s\n, nt_errstr(status)); ret = false; }
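Review bot: The three d_printf() calls touched in libnet_samsync_display.c (display_delete_group, display_delete_user, display_delete_alias) format rid, a uint32_t, with '%d'; since these lines are being edited anyway, '%u' would print RIDs above INT_MAX correctly. In source4/torture/rpc/samr.c the corrected messages still carry 'PASSWORD_RESTRICTON' and 'encrpted'; changing them to 'PASSWORD_RESTRICTION' and 'encrypted' in the same commit would finish the copy-paste cleanup the commit message describes.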
[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-4334-g1b71b12
The branch, v3-3-test has been updated via 1b71b12259d1a123c96a75c88202a59cae475b2a (commit) from de16b8982f76e82ffd00d3ad66b24d239c5e8c9f (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test - Log - commit 1b71b12259d1a123c96a75c88202a59cae475b2a Author: Volker Lendecke [EMAIL PROTECTED] Date: Tue Nov 4 10:51:08 2008 +0100 Ignore 3.0 style invalid group mappings during upgrade to ldb --- Summary of changes: source/groupdb/mapping_ldb.c |7 +++ 1 files changed, 7 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source/groupdb/mapping_ldb.c b/source/groupdb/mapping_ldb.c index 7ce879f..68e5b4c 100644 --- a/source/groupdb/mapping_ldb.c +++ b/source/groupdb/mapping_ldb.c @@ -574,6 +574,13 @@ static int upgrade_map_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key, return -1; } + if ((int)map.gid == -1) { + /* +* Ignore old invalid mappings +*/ + return 0; + } + if (!add_mapping_entry(map, 0)) { DEBUG(0,(Failed to add mapping entry during upgrade\n)); *(int *)state = -1; -- Samba Shared Repository
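Review bot: The new early "return 0" in upgrade_map_record() skips the record without any DEBUG output, so after the upgrade there is no trace of which mappings were left out. The add_mapping_entry() failure path directly below logs with DEBUG(0, ...); a DEBUG line at a lower priority in the new branch, naming the skipped entry, would let an administrator confirm that only the invalid 3.0 style mappings were dropped.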
[SCM] Samba Shared Repository - branch master updated - 37f4c70920fb23e28a934be3e8b6b9ea1baaa13f
The branch, master has been updated via 37f4c70920fb23e28a934be3e8b6b9ea1baaa13f (commit) from bfc59f63f3c13b1499e658c30b2185c7067c5fca (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 37f4c70920fb23e28a934be3e8b6b9ea1baaa13f Author: Volker Lendecke [EMAIL PROTECTED] Date: Tue Nov 4 10:51:08 2008 +0100 Ignore 3.0 style invalid group mappings during upgrade to ldb --- Summary of changes: source3/groupdb/mapping_ldb.c |7 +++ 1 files changed, 7 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index 1a6b99f..db32155 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -574,6 +574,13 @@ static int upgrade_map_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key, return -1; } + if ((int)map.gid == -1) { + /* +* Ignore old invalid mappings +*/ + return 0; + } + if (!add_mapping_entry(map, 0)) { DEBUG(0,(Failed to add mapping entry during upgrade\n)); *(int *)state = -1; -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-3129-g6c5d566
The branch, v3-2-test has been updated via 6c5d5665f24b7317f392d404a600170eacd2b39c (commit) from 85d20296175a288b32fbd514a019a6028ab7a983 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test - Log - commit 6c5d5665f24b7317f392d404a600170eacd2b39c Author: Joe Smith [EMAIL PROTECTED] Date: Tue Nov 4 20:31:04 2008 +0100 Fixed typo in source/utils/net_rap.c --- Summary of changes: source/utils/net_rap.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source/utils/net_rap.c b/source/utils/net_rap.c index 8e5c42a..8ba40b6 100644 --- a/source/utils/net_rap.c +++ b/source/utils/net_rap.c @@ -856,7 +856,7 @@ int net_rap_groupmember_usage(int argc, const char **argv) net rap groupmember LIST group [misc. options] [targets]\ \n\t Enumerate users in a group\n\ \nnet rap groupmember DELETE group user [misc. options] \ -[targets]\n\t Delete sepcified user from specified group\n\ +[targets]\n\t Delete specified user from specified group\n\ \nnet rap groupmember ADD group user [misc. options] [targets]\ \n\t Add specified user to specified group\n); -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-4335-g7499561
The branch, v3-3-test has been updated via 7499561986253e17985ba35a816378dc4e17e749 (commit) from 1b71b12259d1a123c96a75c88202a59cae475b2a (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test - Log - commit 7499561986253e17985ba35a816378dc4e17e749 Author: Joe Smith [EMAIL PROTECTED] Date: Tue Nov 4 20:31:04 2008 +0100 Fixed typo in source/utils/net_rap.c --- Summary of changes: source/utils/net_rap.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source/utils/net_rap.c b/source/utils/net_rap.c index 32f4dd3..570e951 100644 --- a/source/utils/net_rap.c +++ b/source/utils/net_rap.c @@ -1024,7 +1024,7 @@ int net_rap_groupmember_usage(struct net_context *c, int argc, const char **argv net rap groupmember LIST group [misc. options] [targets] \n\t Enumerate users in a group\n \nnet rap groupmember DELETE group user [misc. options] -[targets]\n\t Delete sepcified user from specified group\n +[targets]\n\t Delete specified user from specified group\n \nnet rap groupmember ADD group user [misc. options] [targets] \n\t Add specified user to specified group\n); -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated - 95d1825a51544eba8e2fd4d3cfccaf9c240b7ce6
The branch, master has been updated via 95d1825a51544eba8e2fd4d3cfccaf9c240b7ce6 (commit) from 6b4d48c4bf3e538d49d0579bffce0c5d33f4dbe9 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 95d1825a51544eba8e2fd4d3cfccaf9c240b7ce6 Author: Volker Lendecke [EMAIL PROTECTED] Date: Tue Nov 4 21:51:17 2008 +0100 Fix a const warning --- Summary of changes: source3/smbd/trans2.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index 9e15001..d0e3a68 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -5473,7 +5473,7 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn, / static NTSTATUS smb_set_posix_lock(connection_struct *conn, - const struct smb_request *req, + struct smb_request *req, const char *pdata, int total_data, files_struct *fsp) -- Samba Shared Repository
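Review bot: Dropping const from the req parameter of smb_set_posix_lock() silences the warning by widening what the function is allowed to do to the request, and the commit message does not say which callee needs a mutable struct smb_request. Naming that callee in the commit message would let a reader confirm that the const could not have been kept by correcting the callee's prototype instead.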
[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-4333-gde16b89
The branch, v3-3-test has been updated via de16b8982f76e82ffd00d3ad66b24d239c5e8c9f (commit) via cc8207790ef2fc38635415501a83a0161d48015a (commit) from e20631897d5bade7827845c18ebf13ba468747fc (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test - Log - commit de16b8982f76e82ffd00d3ad66b24d239c5e8c9f Merge: cc8207790ef2fc38635415501a83a0161d48015a e20631897d5bade7827845c18ebf13ba468747fc Author: Jeremy Allison [EMAIL PROTECTED] Date: Tue Nov 4 01:35:13 2008 -0800 Merge branch 'v3-3-test' of ssh://[EMAIL PROTECTED]/data/git/samba into v3-3-test commit cc8207790ef2fc38635415501a83a0161d48015a Author: Jeremy Allison [EMAIL PROTECTED] Date: Tue Nov 4 01:34:35 2008 -0800 Pass all of RAW-ACLS except for inheritence. Working on that next. Jeremy. --- Summary of changes: source/include/proto.h |4 ++ source/modules/vfs_acl_xattr.c |2 +- source/smbd/open.c | 81 +++- 3 files changed, 84 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source/include/proto.h b/source/include/proto.h index ea7481c..b432e6b 100644 --- a/source/include/proto.h +++ b/source/include/proto.h @@ -9899,6 +9899,10 @@ void reply_nttranss(struct smb_request *req); /* The following definitions come from smbd/open.c */ +NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd, + const NT_USER_TOKEN *token, + uint32_t access_desired, + uint32_t *access_granted); NTSTATUS fd_close(files_struct *fsp); bool map_open_params_to_ntcreate(const char *fname, int deny_mode, int open_func, uint32 *paccess_mask, diff --git a/source/modules/vfs_acl_xattr.c b/source/modules/vfs_acl_xattr.c index d62d4a6..e323f8e 100644 --- a/source/modules/vfs_acl_xattr.c +++ b/source/modules/vfs_acl_xattr.c 
@@ -437,7 +437,7 @@ static int open_acl_xattr(vfs_handle_struct *handle, pdesc); if (NT_STATUS_IS_OK(status)) { /* See if we can access it. */ - status = se_access_check(pdesc, + status = smb1_file_se_access_check(pdesc, handle-conn-server_info-ptok, fsp-access_mask, access_granted); diff --git a/source/smbd/open.c b/source/smbd/open.c index 967e0c5..adbe980 100644 --- a/source/smbd/open.c +++ b/source/smbd/open.c @@ -30,6 +30,56 @@ struct deferred_open_record { }; / + SMB1 file varient of se_access_check. Never test FILE_READ_ATTRIBUTES. +/ + +NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd, + const NT_USER_TOKEN *token, + uint32_t access_desired, + uint32_t *access_granted) +{ + return se_access_check(sd, + token, + (access_desired ~FILE_READ_ATTRIBUTES), + access_granted); +} + +/ + Check if we have open rights. +/ + +static NTSTATUS check_open_rights(struct connection_struct *conn, + const char *fname, + uint32_t access_mask) +{ + /* Check if we have rights to open. */ + NTSTATUS status; + uint32_t access_granted = 0; + struct security_descriptor *sd; + + status = SMB_VFS_GET_NT_ACL(conn, fname, + (OWNER_SECURITY_INFORMATION | + GROUP_SECURITY_INFORMATION | + DACL_SECURITY_INFORMATION),sd); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, (check_open_rights: Could not get acl + on %s: %s\n, + fname, + nt_errstr(status))); + return status; + } + + status = smb1_file_se_access_check(sd, + conn-server_info-ptok, + access_mask, + access_granted); + + TALLOC_FREE(sd); + return status; +} + +/ fd support routines - attempt to do a dos_open. / @@ -337,6 +387,17 @@ static NTSTATUS open_file(files_struct *fsp, } else {
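Review bot: In check_open_rights() (source/smbd/open.c), access_granted is filled in by smb1_file_se_access_check() and then discarded; if only the status is wanted, a short comment should say so, otherwise the granted mask should be handed back to the caller. The failure to fetch the ACL is reported only at DEBUG level 10 although it makes the function return an error, so a lower debug level would make such denials easier to diagnose from normal logs.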
[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-3126-g71ed975
The branch, v3-2-test has been updated via 71ed975a608126769c9669409d46c894da3ca43e (commit) from ea0858842d20966796bb47f20bae04bbb7232643 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test - Log - commit 71ed975a608126769c9669409d46c894da3ca43e Author: Volker Lendecke [EMAIL PROTECTED] Date: Mon Nov 3 17:09:40 2008 +0100 Fix bug triggered by the RAW-SAMBA3OPLOCKLOGOFF test --- Summary of changes: source/smbd/process.c |1 + 1 files changed, 1 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source/smbd/process.c b/source/smbd/process.c index cb465ae..288d86b 100644 --- a/source/smbd/process.c +++ b/source/smbd/process.c @@ -1405,6 +1405,7 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in if (!change_to_user(conn,session_tag)) { reply_nterror(req, NT_STATUS_DOS(ERRSRV, ERRbaduid)); + remove_deferred_open_smb_message(req-mid); return conn; } -- Samba Shared Repository
Build status as of Wed Nov 5 00:00:02 2008
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2008-11-04 00:00:48.0 + +++ /home/build/master/cache/broken_results.txt 2008-11-05 00:00:12.0 + @@ -1,4 +1,4 @@ -Build status as of Tue Nov 4 00:00:01 2008 +Build status as of Wed Nov 5 00:00:02 2008 Build counts: Tree Total Broken Panic @@ -11,13 +11,13 @@ lorikeet-heimdal 29 20 0 pidl 19 2 0 ppp 13 13 0 -rsync33 10 0 +rsync32 10 0 samba-docs 0 0 0 samba-gtk5 5 0 -samba_3_X_devel 29 18 0 -samba_3_X_test 29 16 0 +samba_3_X_devel 29 20 0 +samba_3_X_test 29 17 0 samba_4_0_test 31 27 1 smb-build31 7 0 -talloc 33 32 0 +talloc 31 32 0 tdb 33 12 0